On 06/15/2012 01:40 PM, Simon L. B. Nielsen wrote:
On Jun 11, 2012 1:22 AM, "Robert Simmons"<[email protected]> wrote:
Would it be possible to make FreeBSD's bootcode aware of geli encrypted
volumes?
I would like to enter the password and begin decryption so that the
kernel and /boot are inside the encrypted volume. Ideally the only
unencrypted area of the disk would be the gpt protected mbr and the
bootcode.
I know that Truecrypt is able to do something like this with its
truecrypt boot loader, is something like this possible with FreeBSD
without using Truecrypt?
I just booted off a USB flash key. Then your entire drive can be encrypted.
While true, the point (to me at least) is that with your kernel (and in
Linux's case, initrd) in the clear it's possible for someone to bury a
trojan of some sort in there waiting for you to boot up and start doing
something nefarious (open backdoors, keylogging, etc.). I suppose you
could check hashes of the kernel stuff and whatnot on booting to see if
they haven't been modified, but that's not fool-proof either. That's
obviously some pretty cloak and dagger stuff, but the company I work for
requires full disk encryption. I've never actually asked if /boot
counts, somewhat fearing the answer and resulting hassle from the
largely paper-pushing security types.
The USB key method isn't bad, but it realistically only adds obfuscation
unless you keep your laptop and the key separate. Knowing myself, I'd
forget one or the other fairly often. :)
--
Matt Piechota
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
